SmeshApp: Cyberterrorism is real, but what is it and what can we do about it?

The alleged use of SmeshApp by Pakistani intelligence agencies to aid in the Pathankot attack heralds the dawn of cyberterrorism.

By Asheeta Regidi

The increasing use of technology and the highly digitised world we live in made cyberterrorism a possibility a long time ago. The alleged use of SmeshApp by Pakistan Intelligence Agencies to spy on Indian army personnel is a rude reminder that cyberterrorism is more than a mere possibility, it's real.

Indian army personnel were tricked into installing SmeshApp on their smartphones. This gave Pakistan access to a wealth of critical security information such as troop movements and the counter-terrorism moves of the army. The data collected through this app also may have been used to aid the Pathankot attack. If confirmed, this will be the first major incident of cyberterrorism in India.

What forms can cyberterrorism take?

Cyberterrorism, generally speaking, is the use of computers to commit terrorist attacks. The target of the attack might be computers, information systems and data. This data may be used to conduct terrorist activities in the real world. Section 66F of the Information Technology Act, 2000 defines cyberterrorism and identifies two types of attacks.

One form of cyberterrorism is when a computer system is hacked into to access restricted information, such as military information. The disclosure of such information will be a threat to the security or integrity of the nation. The use of SmeshApp directly demonstrates this type of cyberterrorism. Once installed, this app allegedly collected information on the soldiers’ every movement, which included phone logs, texts, e-mails and even real-time geolocation information (GPS data).

It is also feared that pictures were surreptitiously clicked through the hacked smartphones. The data collected from each individual soldier’s phone collectively revealed crucial security information to the spies. The spies also lured the soldiers using fake Facebook accounts. Once they were befriended, they hacked into the soldiers’ personal computers. There is no way of estimating how much confidential information the spies had access to through these systems.

The hacking and defacement of Indian government websites is very commonly reported. There is a wealth of confidential information which is available on these websites, and it can be stolen by the hackers. In the past however, actual theft of this information has not been reported.

Another form of cyberterrorism is when the hacking of a computer or introducing a virus into a computer results in a threat to people. For example, a hacker may hack into a hospital’s computer systems and make changes which will result in the administration of wrong medicines to patients. This can be fatal for the patients and at the very least, will severely affect their health. Another example of this type of attack is when people are denied access to critical systems such as mobile phone networks.

This form of cyberterrorism actually happened in Estonia, which faced a large scale ‘distributed denial of service’ attack in 2007. The highly technologically dependent state was rendered completely offline for a period of three weeks. Access to Estonia’s online infrastructure was completely blocked, which stopped essential services such as mobile phone networks, the internet, online banking and government services.

As cities become increasingly dependent on technology to operate, they become increasingly vulnerable to cyber terrorism. Any system which uses computers or software can be affected this way. For example, the GPS tracking systems which are so common in taxis these days can easily be the object of an attack.

Hackers, software developers can be held liable

The SmeshApp spying scandal reveals a wide range of people who would have been involved in the attack. For example, the app will have needed software developers to create the apps. It would have needed expert hackers who could hack into and take over the smartphones and computers of soldiers. Yet other experts would have been involved for the collection and analysis of the data from the hacked systems.

For instance, if the collected data is encrypted, experts will be required to decrypt it. Under the provisions of the IT Act, not only the hackers themselves, but anyone conspiring with them to commit cyberterrorism will also be liable. This will include all such hackers and other experts involved, including the persons who created the fake Facebook accounts.

If such a person did not know what the app was being used for, then he may not be liable for cyberterrorism specifically. For cyberterrorism, these persons will be punishable with imprisonment for life under the Information Technology Act. These persons will also be punishable under other Indian terrorism laws.

Computers Aiding 26/11 Attacks

Apart from a few isolated incidents around the world, cyberterrorism has been rare. The use of computers to aid terrorist attacks, however, is not so rare, even in India.  In fact, they were used extensively to aid the 26/11 attacks. Google Maps was used to guide the terrorists into the city, and Voice-over-IP systems using fake routers were used to communicate. The terrorists also attempted to hack into hotel computers to acquire information on the people staying in the hotels.

The targets of the attack, the two luxury hotels and the Jewish hotel, were also searched for and finalised on the basis of an online search. The sad part is that intelligence agencies abroad and in India had access to this information, but were unable to figure out the terrorists’ plan in time. E-mail routers were also used to send e-mails from fake IP addresses in the Ahmedabad blasts of 2008. This use of computers to aid terrorist attacks is, however, not ‘cyberterrorism’. This is, at best, one of the major drawbacks of technology.

Terrorists are becoming more and more familiar with technology. The more tech-savvy they become, the larger the avenues of cyberterrorism that will open up for them. The Indian army has issued a new internet advisory after the SmeshApp incident came to light. However, in view of the extent of information that may have been revealed, a lot of the damage has already been done.

It is surprising that these measures were not already in place, but it is also possible that the reality of cyberterrorism as a threat did not hit until now. It is hoped that now, stricter measures will be put in place to guard against cyberterrorism.

The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.

Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.